More ssh-add & gnome-keyring.

I've updated my gnome-keyring SSH_ASKPASS program to improve the user experience. However, to get this to 100% I need some changes to ssh-add so that there is a stable interface between it and the SSH_ASKPASS program.

The new version reads the environment variable GNOME_KEY_ASKPASS. If that names an executable and gnome-keyring needs to prompt for a pass phrase, it runs that program to do the prompting and reads the pass phrase from the program's standard output, in the same way that ssh-add does with SSH_ASKPASS. It then stores the pass phrase in the keyring and writes it to its own standard output for ssh-add.

So to use this I have the following in my .dtprofile:

: enoexec.eu FSS 184 $; tail  -11 ~/.dtprofile
if whence gnome-keyring > /dev/null
then
        export SSH_ASKPASS=gnome-keyring
        if  whence xsshaskpass > /dev/null
        then
                export GNOME_KEY_ASKPASS=xsshaskpass
        fi
elif whence xsshaskpass > /dev/null
then
        export SSH_ASKPASS=xsshaskpass
fi
: enoexec.eu FSS 185 $; 

Then of course you need the xsshaskpass program. This just pops up a window and prompts the user to enter the pass phrase. There are lots of these around and I've always wondered why Solaris does not have one (if it does, let me know). Since they are trivially simple to write I guess it is just another way of making Solaris a little bit more elite. Here is my solution. Save it as xsshaskpass somewhere in your PATH and make it executable:

#!/usr/bin/ksh -p
# Runs first as a ksh script that re-execs itself under wish. Each line
# that ends in a backslash is a comment to ksh but a continued comment to
# Tcl, so wish skips the whole ksh section and starts at ". config".
#\
if [[ -x /usr/bin/wish ]]  ; then
# \
        exec /usr/bin/wish -f "$0" ${1+"$@"}
#\
elif [[ -x /usr/sfw/bin/wish8.3 ]]  ; then
# \
        exec /usr/sfw/bin/wish8.3 -f "$0" ${1+"$@"} ; else
# \
        exec wish -f "$0" ${1+"$@"} ; fi
# From here on only wish reads the file: a Tk dialog that shows the prompt
# passed by ssh-add as the first argument, masks the entry field with "*",
# and prints the entered text on standard output when o.k. is pressed.
. config -borderwidth 10
label .l -text "[lindex $argv 0]"
entry .e -width 30 -show {*}
frame .buts
button .buts.doit -text o.k. -command { puts [.e get ] ; exit 0}
button .buts.quit -text quit -command { exit 0}
pack .buts.doit .buts.quit -side left
pack .l .e .buts
tkwait window .
exit 0

The nice thing about this is that this is all you have to do to set it up, and it could be done by the administrator. When ssh-add first runs at login it will prompt you twice (see below) for your pass phrase, which then gets stored in the gnome-keyring. Assuming you entered the correct pass phrase, that is it: you never have to enter your ssh pass phrase again.

However, since there is no way for the gnome-keyring program to know whether the pass phrase it reads from the user is good, it can end up storing a bad pass phrase in the keyring. To minimize this risk it prompts the user for the pass phrase twice, repeating until the same phrase is entered both times. Once a bad pass phrase is in the keyring you have to use gnome-keyring-manager to delete it. Unfortunately, all the gnome-keyring program has to go on when a bad pass phrase is detected is that it is called with the argument "Bad passphrase, try again: ", which does not tell the program which key is bad. There are various hacks that could work around this, but I'm coming to the conclusion that the simplest would be to modify ssh-add to put the name of the file it is prompting for into the environment of the SSH_ASKPASS program, and hence of the gnome-keyring program, so that it can be read from there. With that in place it would not matter if a bad pass phrase was stored in the keyring, since when the user eventually gets the pass phrase right, the correct one would be stored.
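To make that contract concrete, here is an added sketch of my own (not the gnome-keyring front end described above): a POSIX sh SSH_ASKPASS program that takes the prompt in its first argument and answers on standard output, chains to whatever GNOME_KEY_ASKPASS names, prompts twice until the answers agree, and on a "Bad passphrase" prompt forgets the stored value for the key named in SSH_ASKPASS_KEYFILE, a hypothetical variable standing in for the one ssh-add would need to export. A directory created under umask 077 stands in for the keyring so the flow can be exercised anywhere.

```sh
#!/bin/sh
# Added example, not the gnome-keyring program from the post.  Contract with
# ssh-add: prompt text arrives in $1, the pass phrase goes to stdout.
# SSH_ASKPASS_KEYFILE is a hypothetical variable standing in for the one
# ssh-add would need to export; CACHE_DIR is a stand-in for the keyring.

CACHE_DIR=${ASKPASS_CACHE_DIR:-"$HOME/.askpass-cache"}

# Cache file for the key being prompted for (path separators flattened).
cache_entry() {
    printf '%s/%s\n' "$CACHE_DIR" \
        "$(printf '%s' "${SSH_ASKPASS_KEYFILE:-default}" | tr '/' '_')"
}

# Ask the inner prompter once, exactly as ssh-add asks SSH_ASKPASS.
prompt_once() {
    "$GNOME_KEY_ASKPASS" "$1"
}

# Ask twice until both answers agree: with no way to test the pass phrase
# against the key, this is the only check on what gets stored.
prompt_confirmed() {
    while :; do
        first=$(prompt_once "$1") || return 1
        second=$(prompt_once "Retype to confirm: ") || return 1
        if [ "$first" = "$second" ]; then
            printf '%s\n' "$first"
            return 0
        fi
    done
}

# Entry point called by ssh-add with the prompt as $1.
askpass() {
    entry=$(cache_entry)
    case $1 in
        "Bad passphrase"*) rm -f "$entry" ;;   # stored value is wrong: forget it
    esac
    if [ -r "$entry" ]; then
        cat "$entry"          # served from the cache, no prompt shown
        return 0
    fi
    pp=$(prompt_confirmed "$1") || return 1
    (umask 077; mkdir -p "$CACHE_DIR" && printf '%s\n' "$pp" > "$entry") || return 1
    printf '%s\n' "$pp"
}

if [ $# -gt 0 ]; then askpass "$1"; fi
```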

Comments:

Hi Chris,
Slightly related is that gdm/PAM can be configured to automatically unlock a user's gnome-keyring iff the PAM password and gnome-keyring password match.
http://ubuntu-tutorials.com/2007/07/12/automatically-unlocking-the-default-gnome-keyring-pam-keyring/ has the scoop :)

Posted by Lewis on August 30, 2007 at 01:34 PM BST

About

This is the old blog of Chris Gerhard. It has mostly moved to http://chrisgerhard.wordpress.com
